I'm trying to understand how an email that appeared to come from our CEO's address (ceo@domain) was delivered to a user's inbox, even though Outlook flagged it with a warning about the sender's authenticity. We're using Exchange Online with the Defender 365 that comes with Business Premium. The email had multiple fail alerts - SPF, DMARC, and Compauth all indicated issues. It should have been recognized as an intra-organization spoof, yet somehow it got through. The user's settings were pretty standard, with no special trust configurations. Could there be a misconfiguration in our anti-phishing policies? And shouldn't an external email to an internal address raise a red flag? Looking for insights on where to focus next to troubleshoot this issue.
3 Answers
Have you looked at your SPF policies? If they're too lax or allow gray mail, that might be a factor. Also, confirm if the mail server that sent the email is part of the same provider network as yours, as that can complicate things.
Check any Exchange connectors you might have set up. Sometimes they can create loopholes that allow spoofed emails through, so it’s worth taking a peek at those.
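To make the two answers above concrete, here is an added Python triage script (not code from this thread) that reads the headers EOP stamps on a delivered message and names which override path, if any, let it reach the inbox: a mail flow rule (SFV:SKN), a user Safe Senders entry (SFV:SFE), an anti-spam allow list (SFV:SKA), a connection-filter IP allow (IPV:CAL), or a connector that caused the message to be authenticated as Internal (AuthAs: Internal, SFV:SKI). The sample headers, addresses and IPs are constructed; the SFV/IPV meanings are an abbreviated reading of Microsoft's anti-spam message header reference, so confirm any value not listed against the current documentation.

```python
"""Triage of Exchange Online / EOP headers for a message whose From: is your own
domain. Added example for this thread; header samples below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: external route, all checks fail, but a mail flow rule
# set SCL -1 (SFV:SKN). Reserved example domain and IP ranges only.
SAMPLE_TRANSPORT_RULE = """\
From: CEO <ceo@domain.example>
To: user@domain.example
Subject: Urgent wire
Authentication-Results: spf=fail (sender IP is 203.0.113.25) smtp.mailfrom=bulk.attacker.example; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=domain.example; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-SCL: -1
X-Forefront-Antispam-Report: CIP:203.0.113.25;CTRY:US;IPV:NLI;SFV:SKN;SCL:-1;CAT:NONE;DIR:INB;
"""

# Constructed sample 2: message arrived over an inbound connector that treats
# mail as internal, so EOP never evaluated it as external (SFV:SKI).
SAMPLE_CONNECTOR_INTERNAL = """\
From: CEO <ceo@domain.example>
To: user@domain.example
Subject: Urgent wire
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-SCL: -1
X-Forefront-Antispam-Report: CIP:198.51.100.7;CTRY:US;IPV:NLI;SFV:SKI;SCL:-1;CAT:NONE;DIR:INB;
"""

# Abbreviated SFV meanings (assumption: matches the current Microsoft reference).
SFV_MEANING = {
    "SFE": "filtering skipped: sender is on the recipient's Safe Senders list",
    "SKA": "filtering skipped: sender/domain is on the anti-spam policy allow list",
    "SKI": "filtering skipped: message was treated as intra-organization",
    "SKN": "marked not spam by a mail flow (transport) rule before filtering",
    "SKQ": "released from quarantine",
    "SKB": "blocked by the anti-spam policy block list",
    "SKS": "marked spam by a mail flow rule",
    "SPM": "marked spam by content filtering",
    "NSPM": "not spam",
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")
REASON_RE = re.compile(r"\breason=(\d+)")


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc/compauth verdicts and the compauth reason code."""
    results = {m.group(1): m.group(2).lower() for m in AUTH_RE.finditer(value)}
    reason = REASON_RE.search(value)
    if reason:
        results["reason"] = reason.group(1)
    return results


def parse_forefront(value):
    """Turn 'CIP:x;SFV:SKN;...' into a dict; keys keep their EOP spelling."""
    fields = {}
    for part in value.split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key] = val
    return fields


def explain(raw_headers, org_domains):
    """Return parsed verdicts plus a list of findings that point at a tenant setting."""
    msg = message_from_string(raw_headers)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        if "compauth=" in value:  # the EOP-generated header, not an ARC copy
            auth = parse_auth_results(value)
    report = parse_forefront(msg.get("X-Forefront-Antispam-Report", ""))
    auth_as = msg.get("X-MS-Exchange-Organization-AuthAs", "")
    scl = msg.get("X-MS-Exchange-Organization-SCL", report.get("SCL", ""))

    findings = []
    is_own_domain = from_domain in {d.lower() for d in org_domains}
    if is_own_domain and auth_as.lower() != "internal":
        findings.append(f"From domain {from_domain} is yours but AuthAs={auth_as!r}: "
                        "intra-org spoof candidate; check the anti-phish policy spoof action")
    if is_own_domain and auth_as.lower() == "internal":
        findings.append("authenticated as Internal: review inbound connectors "
                        "(OnPremises type / TreatMessagesAsInternal) matching CIP "
                        f"{report.get('CIP', '?')}")
    if auth.get("compauth") == "fail":
        findings.append(f"compauth=fail reason={auth.get('reason')}: inbox delivery means "
                        "the spoof action allowed it or a filtering override applied")
    if report.get("SFV") in SFV_MEANING:
        findings.append(f"SFV:{report['SFV']}: {SFV_MEANING[report['SFV']]}")
    if report.get("IPV") == "CAL":
        findings.append("IPV:CAL: source IP is on the connection-filter IP Allow List")
    if scl == "-1":
        findings.append("SCL -1: spam filtering was bypassed for this message")
    return {"from_domain": from_domain, "auth": auth, "report": report,
            "auth_as": auth_as, "scl": scl, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("transport rule", SAMPLE_TRANSPORT_RULE),
                          ("connector", SAMPLE_CONNECTOR_INTERNAL)):
        print(f"== {label} ==")
        for line in explain(sample, {"domain.example"})["findings"]:
            print(" -", line)
```

Paste the real message's headers (View message source in Outlook) in place of a sample and pass your accepted domains. Each finding names the tenant object to pull next in Exchange Online PowerShell: Get-TransportRule for SFV:SKN, Get-InboundConnector for an Internal verdict, Get-AntiPhishPolicy (EnableSpoofIntelligence, AuthenticationFailAction) and Get-TenantAllowBlockListSpoofItems for a compauth=fail that still reached the inbox, and Get-MailboxJunkEmailConfiguration for SFV:SFE.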
Honestly, it feels like Microsoft has a mind of its own. They sometimes flag obvious spam while slipping through emails that fail all the checks. It's frustrating!
Right? It's like a game of chance sometimes!

We do have an internal SMTP relay connector and others for archival, but I don’t think they’re the problem here.